Strange scanning results with AVG Free 7.0.296!

Hi again! I have just finished my last scan against my 3518 infected samples. AVG Free 7.0.296 was within too. The strange was the very poor Exploits and BAT detecting.

Best regards,
Firefighter!

 

Firefighter, I could most likely find the answer, but hope you do not mind if I ask.
What is e-scan and how is it purchased?

Thanks,
Lon

 

Knowing FireFighter, he is probably enjoying his Saturday night beer right now

So if he does not mind;

eScan ToolKit Utility is a free AV that uses a modified Kaspersky engine; http://www.mwti.net/antivirus/free_utilities.asp

A recent thread here;
https://www.wilderssecurity.com/showthread.php?t=50463&highlight=eScan

It is an on-demand scanner which is very thorough but is very slow. It is not recommended as your primary AV as it only reports infections.

 

It really shows what a useless peace of junk AVG really is.

 

This scan does not surprize me. As a paying customer of AVG 7 (I have since switched...I know you're sick of hearing that if you've read my other posts ) The reason I switched was a lack of detection. It was mostly Exploits that were getting by AVG Pro. It was really strange. Things that it caught before SP2, it could not after. It did help me out when I was trying out Norton 2004 and I was hit with padobot, and sdbot. I think Norton got infected itself because one day my internet connection icons and links just disappeared and Norton found nothing. However, I still had AVG on my PC with the resident scanner turned off and I ran on demand scan and AVG found the nasties and cleaned them. After I fixed my WMI, things ran great again. I would go back to AVG in a heartbeat if they were to detect better beacuse the interface and operation of the prog fit me well.

 

Hi,

No offence indeed.

But how can you conclude and say those words by such a test that without exact name of malware, without methodology to prove that all malware are really functional (whether it does real threats such as Exploits and BAT) and without methodology to prove how circulating of these malware really are ?

I don't believe that AVG will offer better protection than other AV but that test is still in question. Maybe quantitive not qualitative and less is more in antivirus protection

Judgment the real quality of AV is not easy task as let the scanners scan files in question. But the accuracy of identification & catching & cleaning the (real) threat and how quick to response when the (real) threat begins circulating are count.IMHO

Some AVs can detect spyware, adware but some AVs not (what if people call or understand spyware as a virus and some AVs don't detect spyware by its design), some AVs don't detect exploit code itself but detect malware that are downloaded by exploit code instead. I think each AVs companies have their own policy for what malware that they should or should not detect.

So it is not easy to judge the real quality of AV by the amount of malware they detect.

 

Tap is correct, because more often than not, i've found that many things that AVs like Kaspersky flag as malicious, aren't. Whereas i've found DRWeb, NOD32, and MKS a bit more discriminating in what they toss into their databases.

For example, look at the following information:

[autorun]
open=C:\WINDOWS\OOBHCDGC.VBS

Place this information in a text file, and scan it with Kaspersky. It will show up as a virus. Clearly, it is NOT a virus, but might reference a file that was once a virus. But the point is, the file itself isn't malicious, and as such, it should not be labeled malicious in my opinion.

As I said, AV's like DRWeb, NOD32, and MKS pass most sniff tests like this. So to me, its pretty easy to see why some tests can be a bit misleading - no offense to firefighter.

Thats my 2 cents.

 

I save this information in a text file and scan it by Jotti's malware scan 2.42, the result as this.

 

Well if i correct this,NOD32 DOES detect it as LoveLetter.AR worm
Your string was saved into .BAT file. .TXT files itself cannot execute any such command inside so thats the reason why its not detected by majority of AVs.
Some are extra sensitive,explaining the detection of TXT file.

I also tried this string:

Code:

[autorun]
open=C:\WINDOWS\n00dle.VBS

But once again NOD32 didn't detect anything. So i guess AVs are sensitive to that specific string.

 

And last the results from AntiVir 6.29 added to the table above. Without trojan like malware quite good results with AntiVir.

PS. That Exploit what interrupted the scan with AntiVir before doesn't interrupt the scan anymore. So it's fixed.

Best regards,
Firefighter!

 

There isn't av:s that don't make FP:s. False positives are not the reason why Kaspersky seems to detect almost everything, because it is actually that damn good against everything. Besides, in my tests McAfee VSE 8.0i was able to beat Kaspersky in Script like malware and Viruses, so in this case it makes even more FP:s than KAV when that is the main reason to KAV's excellent scores.

Best regards,
Firefighter!

 

I agree with you.

In my malware collection KAV detects almost everything that throw in its way. I guess that KAV detects malware ahead of time (by its strong signature, I think) when they find or you send them new malware and no matter that malware go in the wild or take serious threat or not, if it's malware it will be added to KAV's database for sure. Whilst some other AVs will mainly focus on malware that potentailly go wild spread or take serious threat to its users, this may depend on companies' policy.

So if you compare KAV's detection rate to other AVs, it's definitely sure that KAV is the winner. This can be applied to every AVs, but it has nothing to do with real quality of other AVs that they offer to its users.

That's my 2 cents.

In my mind KAV is very damn-superb excellent against malware.

 

The poor results for AVG are consistent with other published tests. One done by a large magazine included AVG, McAfee, Norton, Trend Micro and a Fifth one that I can't remember. AVG had the lowest detection rate and the greatest number of false positives.

People like it because it is free, easy to use and does not slow down older machines. But, its junk.

 

A little harsh, I think. If you are a conservative surfer and practice safe-hex, AVG should give you adequate protection against most of the common ITW threats.

It is obviously not one of the better AV's, but hardly 'junk'.

 

AVG has been around for a very long time. It wouldn't last this long if it is NO GOOD! Most PC infections happen when there is a new and nasty bug circulating the internet. AVG will intercept these bugs. You can have Norton, but if the LiveUpdate module fails (very common with this CRAP ware), then you are unprotected with such outbreaks.

You brain is the most powerful AV program. If you don't use your brain and click on everything in view, then you should load up your PC with Kaspersky/McAfee and the various malware detectors...cause GOD isn't going to save you. And guess what? You will eventually get zapped by a bug cause there is no perfect defense. Keep the PC in the box and you will be 100% safe.

 

But sometimes, even when you are reading just news, you may get infected.

http://www.dslreports.com/forum/remark,12095594~mode=flat

Don't know how it is with Aljazeera, but it's no wonder if we can find things like these from there too.

http://english.aljazeera.net/HomePage

Best regards,
Firefighter!

 

NOD32 doesn't detect it, regardless of how you save it. Not sure why you are saying it does.. The fact is, NO AV should detect that string as a virus. I know dozens of strings like that, which will set off Kaspersky.

Sure every AV has false positives, but the fact remains, if you slam your database with everything sent, and don't discriminate with what you pack into it, then you eventually open yourself up to these kinds of things.

AV's should be very deliberate in database additions to ensure this doesn't happen.

 

This may or may not true in AVG 6 but we can see its improvement someway at least in professional test such as Virus Bulletin, latest AVG 6 and new AVG 7 have continuously got VB100% since Windows XP Professional test/June 2003. AntiVir has also got improvement in Virus Bulletin test too.

About the lowest detection rate, I don't understand why people always think AVs that have low/lowest (unconfirmed) detection rate must offer related bad protection. As far as I know some products such as Antivirus Firewall, FortiClient AV from Fortinet has always kept its database so smallest as possible by mainly focus on ITW malware, real threats, today's most dangerous malware and try to avoid add zoo malware and other non-existance malware into database to improve its speed-performance and conserve its resources to focus on real threats only.

This can make FortiClient's AV products have low or lowest (unconfirmed) detection rate if it tested with non-existance/unconfirmed malware as we can see such a test like this from time to time. But this has nothing to do with its real-world capability/detection rate.

Too little harsh, I think. Don't forget that at least AVG 6 has continuously certified by ICSA Labs and AVG has been around for a very long time. It wouldn't last this long if it is NO GOOD!

 

Many uninformed people will use a free product simply because they are unwilling to pay. Does this mean that it is good. I can relate this to the auto industry that I work in. People will buy a $20000 Kia and then wonder why they have problems with some of the simpilist things, yet the person who spent $40000 seeems to drive forever without the slightest problem with their product. Simple rule, you usually get what you pay for. In it's defence AVG is a wonderfully stable program, and I never had a day's problem with lock-up, updates or the such. And for average user's who maybe read the daily news or go to major sites it will probably work great. My own experience is that I can ill afford a virus. I do a lot of volunteer work where I send and recieve many files. The people I work with are professionals, and while many are good at what they do, they understand little about computers, operating systems or how to deal with a virus. If I send them something that knocks their computer out and they spend a day and money getting their PC fixed I bet that I hear some rather nasty feedback from them.

 

I think that for example with AntiVir and Ewido combo, you actually have very good protection because Ewido has very good worm protection too. Only one thing makes me a bit nervous, is that poor detecting rate against Exploits with AntiVir resolved simply by full patched WinXP and by using Firefox?

Best regards,
Firefighter!

 

$20K Camrys and Accords run circles around high-priced $40K German toy wagons. Why? Cause the expensive autos use unproven technologies. Plus they're far behind Toyota and Honda in consistency and attention to details.

SPC is very important with mass-produced items.

 

You could use my PC anytime you want to. I like your approach. I am particular about who I let use anything that I pay a bunch of money for. I don't trust just anyone either. Maybe that is why my machines have been infected only twice to my knowledge. And both were minor.

 

I understand your point but I think the car comparison is not a good one based on my experience. After all I'm still driving a 1994 Ford Escort with 256,000 miles on it and did not replace the motor with a used one until 185,000. Sorry I just had to say it. But back on topic as I have said before Cheap pay is always going to be better then free. Expensive does not always equal quality. Sometimes just fat salaries and dividend checks for shareholders and junk for the consumer. Longevity speaks volumns for any product.

 

Firefighter, so I take it you perform these AV tests? Do you have a site where I can see more of these tests? How about an anti-trojan test? Do you have one of those in the works? That would be nice. Or do you know of one I can look at right now?

Peace
erikguy

 

Unfortunately I don't have a site of my own. Those scanlogs of my testbeds are too large to add as an attachment, about 1/2 Megs and more each.

I don't test AT:s, the only AT that I have tested in signature scanning was Ewido 3.0. Ewido scored quite well just after eScan Free and Mks_Vir 2004 concerning Trojan like malware. To test trojans more accurate, you actually have to launch each file separately, to see if the AT really detects and disinfects these nasties, too heavy job for me.

Best regards,
Firefighter!